Enterprise Security in the Age of Advanced Threats

The malware and IT security panorama has undergone a major change, and enterprise security will never be the same. Attacks have grown drastically in both volume and sophistication, and new techniques for penetrating defenses and hiding malware allow threats to remain on corporate networks for much longer than ever before.

Protecting an enterprise is a challenge because an enterprise can have hundreds of thousands of computers in its network, and a criminal only needs to compromise one of them to succeed. Security companies have been trying to protect computers for decades, implementing smart tactics to ensure that not even one computer gets infected.

In the beginning it was easy: the number of threats was very low, so being able to identify all of them was enough to keep computers safe. Some of those threats were complex, like polymorphic viruses. Some, like the metamorphic ones, were a nightmare for antivirus companies, as it could take expert researchers several days, even weeks, to create a detection for them. The creators of these viruses were people trying to show off their abilities, how good they were, and that was it; there was no ulterior motive.

As the internet grew, a clear motive emerged: money. Once cyber-criminals figured out how to benefit financially from these attacks, things really took off, and security companies, once again, had to adjust.

The reality today is that the number of new threats being created is growing exponentially. In the old days a virus could take weeks or months to travel from LA to NY; now, with the internet, a virus can go from Washington DC to Tokyo in a few seconds.

Blacklisting is one tactic traditional anti-virus companies have used to fight cyber-crime. Blacklisting has decades of experience behind it and includes accurate signature detections, capable of effectively detecting hundreds of millions of malware samples. On the negative side, blacklisting comes with a lot of uncertainty. Its goal is to find malicious software, so anything not considered malicious is allowed to run, even though neither the security vendor nor the customer has any idea what it is or what it is doing.

To make up for this uncertainty, we have also seen the tactic of whitelisting. Whitelisting can work well, as it only allows goodware to be executed on the system. However, just like blacklisting, this method has pitfalls, including trojanized programs: a trusted application that has been modified to carry malicious code.

Both blacklisting and whitelisting worked well for a while, but in the age of advanced threats they can no longer be counted on as the sole method. What happens when there is no malware involved in an attack? Neither of these models works, because at the end of the day they are two sides of the same coin: eliminating malware. Cyber-criminals can try and fail a million times, but as soon as they get it right once, they win. It is not a level playing field, and our solutions need to evolve to get ahead.

Malware was used in only 51% of cases; half did not include malware at all! This means that both approaches (blacklisting and whitelisting), on their own, do not work and will not protect your business.

So, where do we go from here? What does an advanced cyber-security solution need to look like for enterprises in 2018 and beyond?

Classification of all files, using:

Blacklisting: As explained, these technologies have their limitations, but at the same time they are excellent at doing what they must do (detecting malware).

Whitelisting: With it, we can eliminate the uncertainty caused by blacklisting.

Automation: The only scalable and viable way to classify all files is through automation, which also provides the best possible accuracy.

Real-time monitoring: Goodware is already being used successfully by attackers, so we need to know everything that is happening on each computer in real time, including detecting malware-less attacks.

Forensics: It does not matter how good we are; cyber-criminals will eventually compromise a computer, because we cannot always outsmart them. That is why this last component is essential. As soon as a security breach is detected, forensics lets us answer the questions that need answering: What happened? When did it happen? How did the attackers get in? What have they done?
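To make the classification component concrete, here is an added example (not code from the author or from Panda Security) of a file classifier that checks a sample's SHA-256 against both a blacklist and a whitelist. It shows the three outcomes the post contrasts: a known-bad file, a known-good file, and the "unknown" gap that a blacklist-only policy silently allows and that the post argues must instead be routed to automated classification. It also shows why a whitelist must key on file content rather than file name, using a constructed "trojanized" copy of a trusted tool. All file names, byte contents and list entries are constructed for the demo; none are real hashes or indicators.

```python
"""Three-way file classification: blacklist, whitelist, and the unknown gap.

Added example, not the author's or Panda Security's code. All sample
bytes, file names and list contents below are constructed for the demo.
"""
import hashlib
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    MALWARE = "malware"     # hash is on the blacklist
    GOODWARE = "goodware"   # hash is on the whitelist
    UNKNOWN = "unknown"     # on neither list: the uncertainty the post describes


@dataclass(frozen=True)
class FileSample:
    name: str
    content: bytes

    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


class FileClassifier:
    """Checks a sample against both lists and queues anything unknown."""

    def __init__(self, blacklist: set[str], whitelist: set[str]) -> None:
        self.blacklist = set(blacklist)
        self.whitelist = set(whitelist)
        # Unknown files are queued here for automated analysis instead of being guessed at.
        self.pending_analysis: list[FileSample] = []

    def classify(self, sample: FileSample) -> Verdict:
        digest = sample.sha256()
        if digest in self.blacklist:
            return Verdict.MALWARE
        if digest in self.whitelist:
            return Verdict.GOODWARE
        self.pending_analysis.append(sample)
        return Verdict.UNKNOWN


def blacklist_only_allows(verdict: Verdict) -> bool:
    """Classic AV policy: anything not known-bad is allowed to run, unknowns included."""
    return verdict is not Verdict.MALWARE


def whitelist_only_allows(verdict: Verdict) -> bool:
    """Application-control policy: only known-good is allowed to run."""
    return verdict is Verdict.GOODWARE


def name_whitelist_allows(sample: FileSample, allowed_names: set[str]) -> bool:
    """A whitelist keyed on file name rather than content: the trojanized-program pitfall."""
    return sample.name in allowed_names


# Constructed samples (not real binaries). The trojanized copy keeps the trusted
# name but has different bytes, so its hash differs from the whitelisted one.
GOOD_TOOL = FileSample("admin-tool.exe", b"constructed benign tool bytes")
TROJANIZED = FileSample("admin-tool.exe", b"constructed benign tool bytes" + b"\x90 extra")
KNOWN_BAD = FileSample("dropper.exe", b"constructed dropper bytes")


def build_demo_classifier() -> FileClassifier:
    """Lists are built from the constructed samples above, so no hashes are hard-coded."""
    return FileClassifier(blacklist={KNOWN_BAD.sha256()}, whitelist={GOOD_TOOL.sha256()})


def run_demo() -> dict[str, Verdict]:
    clf = build_demo_classifier()
    return {
        "good": clf.classify(GOOD_TOOL),
        "trojanized": clf.classify(TROJANIZED),
        "bad": clf.classify(KNOWN_BAD),
    }


if __name__ == "__main__":
    clf = build_demo_classifier()
    for s in (GOOD_TOOL, TROJANIZED, KNOWN_BAD):
        v = clf.classify(s)
        print(f"{s.name:16} {v.value:9} blacklist-only runs it: {blacklist_only_allows(v)!s:5} "
              f"whitelist-only runs it: {whitelist_only_allows(v)}")
    print("name-based whitelist lets the trojanized copy run:",
          name_whitelist_allows(TROJANIZED, {"admin-tool.exe"}))
    print("queued for automated analysis:", [s.name for s in clf.pending_analysis])
```

The point of the `pending_analysis` queue is the post's third component: rather than letting an unknown file run (blacklist-only) or blocking it outright (whitelist-only), the unknown is handed to an automated classification step that eventually places it on one of the two lists. In a production system that queue would be consumed by the vendor's analysis pipeline; here it is just a list so the flow is visible.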

Including all of these components is an uphill battle for security vendors, but as an industry, we know what it takes to combat the most sophisticated cyber-attacks in history. Now, it’s a matter of execution, and businesses recognizing how important security is to their objectives.

About the Author: @Luis_Corrons has been working in the security industry for more than 17 years, specifically in the antivirus field. He is the Technical Director at PandaLabs, the malware research lab at Panda Security. Luis is a WildList reporter and a top-rated industry speaker at events like Virus Bulletin, HackInTheBox, APWG, Security BSides, etc. Luis also serves as liaison between Panda Security and law enforcement agencies, and has helped in a number of cyber-criminal investigations.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
